NIST to NSA: get your hands off our encryption (please)

NIST cryptographers want to be able to reject NSA guidance.

Germans reveal new NSA XKeyScore internet monitoring
Germans reveal new NSA XKeyScore internet monitoring

A working/advisory group set up by NIST - the US National Institute for Standards and Technology - to look at reports that the NSA was intimately aware of the inner workings of NIST's encryption technologies, has broken ranks, warning that the National Institute must be able to reject any cryptography `guidance' from the NSA when it is warranted.

Given the tight rein that the US government maintains on encryption and security technology - usually routed via the DHS  (the Department of Homeland Security) - the public announcement has surprised many cryptography industry watchers.   

Late last year, NIST set up an investigations group - VCAT, the Visiting Committee on Advanced Technology - to examine the process NIST used to develop encryption standards following disclosures by Edward Snowden that the NSA had weakened encryption standards to make it easier for the agency to eavesdrop on encrypted communication traffic.

The VCAT report issued this week recommends that NIST make changes to its interaction with the NSA "where it hinders NIST's ability to independently develop the best cryptographic standards to serve not only the US government but the broader community."

Amongst the report's many recommendations are that NIST needs to make the process for developing its encryption standards more open and transparent - and include the broader cryptographic community as well.

According to Willie May, NIST's acting director, ensuring the agency has a process that delivers strong cryptography and protects the integrity of standards and guidelines is NIST's highest priority.

"We appreciate this review by the VCAT and the individual Committee of Visitor experts. NIST has already taken several steps to strengthen the process for developing cryptographic standards and will carefully consider these recommendations," he explained.

In its report, the VCAT noted that "it is of paramount importance that NIST's process for developing cryptographic standards is open and transparent and has the trust and support of the cryptographic community."

As a result, the committee recommends that NIST explore "in addition to the current avenues, expanding its programmes to engage academia and outside experts to aid in the review of specific technical topics.”

The report also recommends that NIST review the current requirement for interaction with the NSA and recommends changes in instances where it "hinders [NIST's] ability to independently develop the best cryptographic standards."

Commenting on the NIST report, Nigel Stanley, cyber security practice lead for OpenSky UK, said that it has been proven over the years that the secret to good encryption is having strong algorithms that have been well implemented.

"Where I have seen a failure of an encryption solution it was inevitably down to not following these rules. Over the years the encryption community including academics, industry and standards bodies have worked hard in an open and collaborative way to build robust systems," he said.

"As soon as one of these community members is seen to be compromised it casts a shadow across us all. The industry needs clarity around the NIST and NSA relationship and hopefully this report can help deliver it,” he added.

Leading analyst and Quocirca director Bob Tarzey was in agreement: "Of course NIST should pursue the best possible crypto-standards and practices. The only reason I can think of as to why the NSA would want to overrule NIST's advice is because it wants to able to break encryption," he said.

"Where the NSA has the legal powers to do so it can demand data to be unencrypted, where it does not, it is snooping, and NIST should not be aiding this," he added.